some updates to code.

    clean up the code separate directory for case_studies
    add some files for case_studies

Author: seehwan80

case_studies/00.set_env/00.check_security_env.py

@@ -0,0 +1,93 @@
+import subprocess
+import os
+import re
+
+SYSCALLS = ["mprotect", "mmap", "execve", "execveat", "mremap", "ptrace"]
+
+def run_command(cmd, require_sudo=False):
+    """Run command, adding sudo only if required and not already root"""
+    if require_sudo and os.geteuid() != 0 and cmd[0] != "sudo":
+        cmd.insert(0, "sudo")
+    return subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode()
+
+def check_apparmor():
+    print("[AppArmor       ] Checking AppArmor status...")
+    try:
+        output = run_command(["aa-status"])  # no sudo needed
+        enforce_profiles = re.search(r"(\d+)\s+profiles are in enforce mode", output)
+        python_profile = "/usr/local/bin/python3.14" in output
+        if enforce_profiles:
+            print(f"[AppArmor       ] ✅ {enforce_profiles.group(1)} profiles in enforce mode")
+        else:
+            print("[AppArmor       ] ❌ Not in enforce mode")
+        print("[AppArmor profile] ✅ Loaded for Python3.14"
+              if python_profile else "[AppArmor profile] ❌ Not loaded for Python3.14")
+    except Exception as e:
+        print(f"[AppArmor       ] ❌ Error: {e}")
+
+def check_seccomp():
+    print("[Seccomp         ] Checking seccomp mode...")
+    try:
+        with open("/proc/self/status") as f:
+            for line in f:
+                if line.startswith("Seccomp:"):
+                    mode = int(line.strip().split()[1])
+                    if mode == 0:
+                        print("[Seccomp         ] ✅ Disabled (mode 0)")
+                    elif mode == 1:
+                        print("[Seccomp         ] ⚠️  Strict mode (1)")
+                    elif mode == 2:
+                        print("[Seccomp         ] ⚠️  Filter mode (2)")
+                    else:
+                        print(f"[Seccomp         ] ❓ Unknown mode: {mode}")
+                    return
+        print("[Seccomp         ] ❌ Not found")
+    except Exception as e:
+        print(f"[Seccomp         ] ❌ Error: {e}")
+
+def check_auditd():
+    print("[Auditd          ] Checking auditd status...")
+    try:
+        status = subprocess.check_output(["systemctl", "is-active", "auditd"],
+                                         stderr=subprocess.STDOUT).decode().strip()
+        if status == "active":
+            print("[Auditd          ] ✅ Running (systemd)")
+        else:
+            print(f"[Auditd          ] ❌ Status: {status}")
+    except subprocess.CalledProcessError:
+        print("[Auditd          ] ❌ Not running or not installed")
+
+def apply_syscall_rules():
+    print("[Auditd rules    ] ➕ Applying missing syscall rules...")
+    for syscall in SYSCALLS:
+        try:
+            run_command(["auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall], require_sudo=True)
+            print(f"✅ Rule added for: {syscall}")
+        except subprocess.CalledProcessError as e:
+            print(f"❌ Failed to add rule for {syscall}: {e}")
+        except Exception as e:
+            print(f"❌ Exception adding rule for {syscall}: {e}")
+
+def check_auditd_rules():
+    print("[Auditd rules    ] Checking syscall audit rules...")
+    try:
+        rules_output = run_command(["auditctl", "-l"], require_sudo=True)
+        syscall_rules = [line for line in rules_output.splitlines() if re.search(r"-S\s+\w+", line)]
+
+        if syscall_rules:
+            print(f"[Auditd rules    ] ✅ Found {len(syscall_rules)} syscall rules")
+        else:
+            print("[Auditd rules    ] ❌ No syscall rules — applying now")
+            apply_syscall_rules()
+
+    except subprocess.CalledProcessError as e:
+        print(f"[Auditd rules    ] ❌ Error: {e.output.decode().strip()}")
+    except Exception as e:
+        print(f"[Auditd rules    ] ❌ Exception: {e}")
+
+if __name__ == "__main__":
+    print("=== [ Trampoline Overwrite Experiment Pre-Check + Auto Patch ] ===")
+    check_apparmor()
+    check_seccomp()
+    check_auditd()
+    check_auditd_rules()

case_studies/00.set_env/apparmor_profile_usr.local.bin.python3.14

@@ -0,0 +1,22 @@
+#include <tunables/global>
+
+/usr/local/bin/python3.14 {
+    include <abstractions/base>
+    deny capability,
+    allow capability dac_override,
+    allow capability dac_read_search,
+    allow capability sys_admin,
+
+    deny /proc/** r,
+    deny /dev/** rw,
+
+    /usr/local/bin/python3.14 rix,
+    /usr/local/lib/python3.14/** rix,
+    /usr/local/lib/python3.14/lib-dynload/** r,
+    /users/seehwan/cpython/** rix,
+    /users/seehwan/python-arm64/bin/** rix,
+    /users/seehwan/python-arm64/lib/python3.14/** r,
+    /users/seehwan/python-arm64/lib/python3.14/site-packages/** rix,
+    /users/seehwan/cpython/jit_poc/** rix,
+}
+

case_studies/00.set_env/build_and_setup.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Exit on any error
+set -e
+
+echo "Step 1: Building Python extensions..."
+python3.14 setup.py build_ext --inplace
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to build Python extensions"
+    exit 1
+fi
+
+echo "Step 2: Copying .so files to ../run_dir..."
+# Create run_dir if it doesn't exist
+mkdir -p ../run_dir
+cp *.so ../run_dir/
+cp *.bin ../run_dir/
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to copy .so files"
+    exit 1
+fi
+
+echo "Step 3: Copying AppArmor profile..."
+sudo cp apparmor_profile_usr.local.bin.python3.14 /etc/apparmor.d/usr.local.bin.python3.14
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to copy AppArmor profile"
+    exit 1
+fi
+
+echo "Step 4: Reloading AppArmor profile..."
+sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.python3.14
+if [ $? -ne 0 ]; then
+    echo "Error: Failed to reload AppArmor profile"
+    exit 1
+fi
+
+echo "Step 5: Running security environment check..."
+python3.14 00.check_security_env.py
+if [ $? -ne 0 ]; then
+    echo "Error: Security environment check failed"
+    exit 1
+fi
+
+echo "It's ready to go!" 

case_studies/00.set_env/jitleak.c

@@ -0,0 +1,64 @@
+#define PY_SSIZE_T_CLEAN
+#include <Python.h>
+#include <stdio.h>
+#include <stdint.h>
+
+// executor 구조 추정
+typedef struct {
+    PyObject_HEAD
+    void* unused0;
+    void* jit_code;  // native function pointer
+    // ... 생략된 필드들
+} _PyExecutorObject;
+
+// _Py_GetExecutor 선언 (CPython 내부 API)
+extern _PyExecutorObject* _Py_GetExecutor(PyCodeObject *code, int offset);
+
+static PyObject* leak_executor_jit(PyObject* self, PyObject* args) {
+    PyObject* py_func;
+
+    if (!PyArg_ParseTuple(args, "O", &py_func)) {
+        return NULL;
+    }
+
+    if (!PyFunction_Check(py_func)) {
+        PyErr_SetString(PyExc_TypeError, "Expected a Python function");
+        return NULL;
+    }
+
+    PyCodeObject* code = (PyCodeObject*)PyFunction_GetCode(py_func);
+    printf("[*] code object @ %p\n", code);
+
+    // 여러 바이트코드 offset에서 executor를 시도해봄
+    for (int offset = 0; offset < 512; offset += 2) {
+        _PyExecutorObject* executor = _Py_GetExecutor(code, offset);
+        if (executor && executor->jit_code) {
+            printf("[*] executor found at offset %d\n", offset);
+            printf("[*] executor @ %p\n", executor);
+            printf("[*] executor->jit_code @ %p\n", executor->jit_code);
+	    PyErr_Clear();
+            return PyLong_FromVoidPtr(executor->jit_code);
+        }
+    }
+
+    PyErr_SetString(PyExc_RuntimeError, "No JIT code found in any offset");
+    return NULL;
+}
+
+static PyMethodDef Methods[] = {
+    {"leak_executor_jit", leak_executor_jit, METH_VARARGS, "Leak executor JIT native code"},
+    {NULL, NULL, 0, NULL}
+};
+
+static struct PyModuleDef mod = {
+    PyModuleDef_HEAD_INIT,
+    "jitexecleak",
+    NULL,
+    -1,
+    Methods
+};
+
+PyMODINIT_FUNC PyInit_jitexecleak(void) {
+    return PyModule_Create(&mod);
+}
+

case_studies/00.set_env/jitremap.c

@@ -0,0 +1,42 @@
+// jitremap.c - C 확장 모듈: JIT code cache에 대해 mprotect 시도
+
+#define PY_SSIZE_T_CLEAN
+#include <Python.h>
+#include <sys/mman.h>
+#include <stdint.h>
+#include <errno.h>
+
+static PyObject* jit_remap(PyObject* self, PyObject* args) {
+    unsigned long addr;
+    size_t size;
+    int prot;
+
+    if (!PyArg_ParseTuple(args, "kki", &addr, &size, &prot)) {
+        return NULL;
+    }
+
+    int result = mprotect((void*)addr, size, prot);
+    if (result != 0) {
+        return Py_BuildValue("(i,s)", result, strerror(errno));
+    }
+
+    Py_RETURN_TRUE;
+}
+
+static PyMethodDef JitRemapMethods[] = {
+    {"remap", jit_remap, METH_VARARGS, "Change memory protection of given address."},
+    {NULL, NULL, 0, NULL}
+};
+
+static struct PyModuleDef jitremapmodule = {
+    PyModuleDef_HEAD_INIT,
+    "jitremap",   // name of module
+    "JIT remapping module for testing mprotect.",
+    -1,
+    JitRemapMethods
+};
+
+PyMODINIT_FUNC PyInit_jitremap(void) {
+    return PyModule_Create(&jitremapmodule);
+}
+

case_studies/00.set_env/ok.bin

@@ -0,0 +1,41 @@
+#define _GNU_SOURCE
+#include <stddef.h>              // 👈 offsetof
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <linux/audit.h>
+#include <linux/unistd.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+
+int install_seccomp() {
+    struct sock_filter filter[] = {
+        // Load syscall number
+        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
+
+        // If syscall == mprotect → kill
+        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 1),
+        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
+
+        // Otherwise → allow
+        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+    };
+
+    struct sock_fprog prog = {
+        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+        .filter = filter,
+    };
+
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        perror("prctl(NO_NEW_PRIVS)");
+        return -1;
+    }
+    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+        perror("prctl(SECCOMP)");
+        return -1;
+    }
+
+    return 0;
+}

case_studies/00.set_env/secfilter.c

@@ -0,0 +1,8 @@
+from setuptools import setup, Extension
+
+setup(
+    name="jitexecleak",
+    version="0.1",
+    ext_modules=[Extension("jitexecleak", ["jitleak.c"])],
+)
+